Three years after a massive breach of the U.S. Office of Personnel Management which led to the theft of millions of records, the confidential personal information of federal employees remains at risk of being stolen, according to a new federal audit.
The Office of Personnel Management (OPM) “has made progress in implementing our recommendations for improving its security posture, but further actions are needed,” the Government Accountability Office (GAO) wrote in a report this month to Congress.
“As of September 20, 2018, the agency had implemented 51 (about 64 percent) of the 80 recommendations,” the GAO report said of the list of fixes suggested in the wake of the OPM hack.
Still, the OPM “had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations,” the federal watchdog agency noted in its report.
In 2015, the OPM reported that the personal information of 22 million current and former federal employees was stolen.
Sensitive data such as names, birth dates, addresses and Social Security numbers of government employees, as well as those of their friends, families and contractors were stolen during the breach.
“If an individual underwent a background investigation through OPM in 2000 or afterwards, it is highly likely that the individual is impacted by this cyber breach,” the OPM reported after the 2015 breach -- which has been described as the largest-ever hack of federal employee data.
At the time, Sen. James Lankford, chairman of the subcommittee that oversees government operations, openly questioned security procedures at OPM.
“This breach raises significant concerns as to the security of OPM’s information technology (IT) systems and the integrity of its data management.”
Lankford, R-Oklahoma, said he was also troubled that the intrusion was not the agency’s first.
“OPM’s systems were discovered to have been breached in March 2014.”
The Office of Personnel Management, which conducts background investigations of federal employees and decides who gets what type of security clearance, still has not completed more than a third of the GAO’s 80 data security recommendations, the watchdog agency reported.
“Until OPM implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption,” the report notes.
OPM spokesman Parker King declined to comment on the report, citing an ongoing lawsuit that stemmed from the 2015 intrusion.
Two federal employee unions -– American Federation of Government Employees (AFGE) and National Treasury Employees Union (NTEU) -– filed separate lawsuits against OPM, claiming the agency was negligent in allowing sensitive information of their members to be stolen.
“In 2015, the Office of Personnel Management exposed millions of current and former federal workers’ sensitive information, and they still have not properly accounted for or compensated the victims of this oversight,” AFGE president J. David Cox Sr. told ABC News in an email.
“Not only are they avoiding taking care of those whose private information was exposed, but now we’re finding out that they are still potentially exposing those workers and the thousands who have joined the federal workforce since,” Cox added.
NTEU president Tony Reardon also told ABC News in an email that "the OPM data breaches announced in 2015 are going to haunt former and current federal employees for the rest of their lives."
In the agency’s formal response to GAO’s auditors, OPM officials insisted that they have made progress.
“OPM is dedicated to continued implementations of the remaining recommendations, projecting implementation of five more recommendations during this final quarter” of the current fiscal year.
The bulk of the remaining fixes are scheduled to be in place by the end of next year, OPM officials told the auditors.
Among the changes that have yet to be made are five that were termed “priority” by the GAO. Those include eliminating security vulnerabilities and improving plans for securing government computer networks.
“It is the government’s responsibility to take every precaution to mitigate the risk of data breaches that threaten privacy and national security,” said Tara Vales, a spokeswoman for Rep. Michael Quigley, D-Illinois, the top Democrat on the House committee that oversees general government operations.
Of the remaining 29 recommendations made by GAO, OPM officials have previously said that the office would not put in place one -– specifically, the installation of a security tool on computer workstations used by government contractors.
OPM officials told GAO investigators that the agency has controls in place that accomplish the same thing. So far, OPM has not provided the GAO with any evidence to back up that claim, according to the new report.